Security Researchers Prove That Dropbox Can Be Hacked

Two security researchers blew by Dropbox's security features, gained access to private user files and published a paper that explained how they did it.

Their goal was to get Dropbox to create an open source version of itself, which means that anyone could look at its code and verify that the service is secure.

"Dropbox will/should no longer be a black box," the researchers, Dhiru Kholia of Openwall and Przemyslaw Wegrzyn of CodePainters, wrote in their research paper.

There are a few interesting things about this Dropbox take-down. One is that, after Dropbox was hacked about a year ago, it added security features to protect users and make Dropbox more appealing to paying customers like enterprises.

For instance, it added encryption and something called "two-factor authentication" which makes users take extra steps to log into a Dropbox account.

The researchers disabled both of those protections.

More importantly, they "reverse engineered" the portion of Dropbox that runs on a user's computer, the Dropbox client. That means they looked at Dropbox's programming code. They shouldn't have been able to do that: Dropbox was written in Python using techniques intended to prevent reverse engineering.

There are a lot of cloud services using Python and these same techniques. This means they all could be at risk.

Ultimately, the researchers want to make Dropbox safer. They are hoping others will help them build a secure, open source method for using Dropbox. This would be freely available for Dropbox to adopt, if it wanted to.

Dropbox says that this research doesn't really put anyone's accounts at risk. A spokesperson gave us this statement:

"We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user's computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user's Dropbox, open to attacks across the board."